Lancope was founded back in 2000 and is a leading provider of network visibility and security intelligence to protect enterprises against today's top threats. The StealthWatch System uses NetFlow, IPFIX and other types of network telemetry to detect a wide range of attacks from a variety of threats, including APTs, DDoS, zero-day malware and insider threats. Lancope was acquired by Cisco late last year, but the company had a very close relationship with Cisco before that, and thanks to that relationship it integrates quite well with a variety of existing Cisco solutions. In this first post, I'm going to dig into some of the components of the StealthWatch System.

So what does StealthWatch do? It provides context-aware security for real-time threat detection and forensic response. Through StealthWatch, one is able to turn the network into a virtual sensor grid and correlate data sets across the organization. It provides pervasive network visibility and actionable security intelligence. With the contextual information that StealthWatch gathers, it is able to know every host, record every conversation, baseline the behavior of hosts, store data for months and alert an administrator to any changes.

When you think about security, you typically think of the controls and tools you have put in place, which may include any combination of the following:

Firewall

IPS

ACLs

NAC

Anti-virus/Anti-Malware

SIEM

Even with all these tools, there are things they cannot see or may not detect, and that is where StealthWatch comes in. These are some of the questions I would think about:

If someone runs a ping sweep across hosts on the same subnet, how are you going to detect it?

If a user starts DDoSing something in your network with what looks like legitimate traffic, will you be able to quickly detect it and be alerted on it?

If a user is authorized to download data off a server with proprietary information and they usually only download about 10Mbps a day and suddenly download 100Gbps in one day, how will you be alerted that this host is behaving outside of the norm? How do you currently detect or investigate data leaks?

If a user comes in with a worm after taking their work laptop home for the night and the worm starts propagating across the network, how will you know what hosts are infected if there is no signature?

If someone is stealing proprietary information out of your network and tunneling it through another protocol (e.g. over port 53) to make it look like legitimate traffic, how do you know?

How do you investigate malware threats in your environment?

How do you investigate network performance on an endpoint if you only have the user's name?

How do you currently detect or investigate insider threats?

When you think about security threats like these, you start to see the need for something that provides anomaly detection, behavior analysis and baselining for your network as a whole. That's where StealthWatch comes in. I see StealthWatch as a tool that bridges the gap between the existing security controls that are out there and provides complete visibility into what's happening in your network.
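To make the baselining and behavior-analysis idea concrete, here is a small added example (my own illustration, not StealthWatch code) that answers two of the questions above from constructed NetFlow-style records: a per-host daily volume baseline for the "usually downloads a little, suddenly downloads a lot" case, and a ping-sweep detector that needs no signature. The record layout, hosts and thresholds are all assumptions chosen for the example.

```python
# Added example (not StealthWatch code): two of the post's questions answered
# from constructed NetFlow-style records, a per-host volume baseline and a
# ping-sweep detector. Field order: (day, src, dst, proto, dst_port, bytes).
from collections import defaultdict
from statistics import mean

FLOWS = [
    # Constructed: 10.0.0.5 normally moves ~1.2 MB/day to a file server...
    (1, "10.0.0.5", "10.0.1.20", "tcp", 445, 1_200_000),
    (2, "10.0.0.5", "10.0.1.20", "tcp", 445, 1_100_000),
    (3, "10.0.0.5", "10.0.1.20", "tcp", 445, 1_300_000),
    (4, "10.0.0.5", "10.0.1.20", "tcp", 445, 1_250_000),
    # ...then 90 MB on day 5: same user, same server, far outside its own norm.
    (5, "10.0.0.5", "10.0.1.20", "tcp", 445, 90_000_000),
    # Constructed: one host pings two peers (benign), another touches 40 in a day.
    (5, "10.0.0.7", "10.0.1.1", "icmp", 0, 84),
    (5, "10.0.0.7", "10.0.1.2", "icmp", 0, 84),
] + [(5, "10.0.0.9", f"10.0.1.{i}", "icmp", 0, 84) for i in range(1, 41)]

def daily_bytes(flows):
    """Sum bytes per (src, day) so each host's daily volume can be baselined."""
    totals = defaultdict(int)
    for day, src, _dst, _proto, _port, nbytes in flows:
        totals[(src, day)] += nbytes
    return totals

def volume_outliers(flows, factor=10):
    """Return (src, day, bytes, baseline) where a host sends more than factor x
    its own mean over the earlier days; the baseline is per host, not global."""
    totals = daily_bytes(flows)
    hits = []
    for src in sorted({s for s, _ in totals}):
        days = sorted(d for s, d in totals if s == src)
        for i in range(1, len(days)):  # day 0 has no history to compare against
            baseline = mean(totals[(src, d)] for d in days[:i])
            if totals[(src, days[i])] > factor * baseline:
                hits.append((src, days[i], totals[(src, days[i])], baseline))
    return hits

def ping_sweeps(flows, min_targets=20):
    """Return (src, day, n_targets) for sources reaching many distinct hosts over
    ICMP in one day; a behavioral signal, so it needs no malware signature."""
    targets = defaultdict(set)
    for day, src, dst, proto, _port, _nbytes in flows:
        if proto == "icmp":
            targets[(src, day)].add(dst)
    return sorted((s, d, len(t)) for (s, d), t in targets.items() if len(t) >= min_targets)

if __name__ == "__main__":
    print(volume_outliers(FLOWS))  # [('10.0.0.5', 5, 90000000, 1212500)]
    print(ping_sweeps(FLOWS))      # [('10.0.0.9', 5, 40)]
```

Both detectors work purely from flow metadata, which is the point of the questions above: neither the exfiltration nor the sweep carries a payload a signature-based tool could match.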

This is a high-level diagram of the StealthWatch architecture:

The minimum requirements for the StealthWatch System are a StealthWatch Management Console (SMC) and at least one FlowCollector, but there are additional products that might be of assistance. I'll go over those in this blog post:

StealthWatch Management Console (SMC)

The SMC allows administrators to view, understand and act on network and security data through a single interface. The SMC deduplicates flows across FlowCollectors: when queries to multiple FCs return the same flow, it appears only once in the resulting document. This deduplication applies only to the records a query returns and affects only their display; it does not alter how those records are stored. Deduplication ensures each conversation is counted only once. The SMC can also collect data from FlowCollectors, firewalls, web proxies, IDS/IPS and NAC systems. It's the control center of the StealthWatch system, and it is available as either a physical or a virtual appliance.

FlowCollector

The FlowCollector collects and analyzes data from existing network infrastructure to provide the complete picture of everything happening in the environment. Some of the features it can provide are:

Baselining of all IP traffic

Anomaly detection in traffic/host behavior

Layer 7 anomaly detection

Appliance or virtual deployment options

NAT stitching

P2P file sharing detection

Host and service profiling

Index-based prioritization technology

OS fingerprinting

Support for application-aware flows such as NBAR2

Support for custom applications

Closest interface determination and tracking

Deduplication of flows

Virtual environment monitoring

Host Group tracking and reporting

Router interface tracking and reporting

Bandwidth accounting and reporting

Packet-level performance metrics

QoS (DSCP) monitoring

Interface utilization alarming

Unauthorized host access detection

Unauthorized Web server detection

Misconfigured firewall detection

Combined internal and external monitoring

Full flow logging

Worm detection

Botnet detection

DoS/DDoS detection (SYN, ICMP, or UDP flood)

Fragmentation attack detection

Network scanning and reconnaissance detection

Large file transfer detection

Rogue server detection

Long term flow retention

FlowSensor (FS)

The FlowSensor complements the data received natively from flow-capable devices. It monitors packet data and enriches flow data with details such as application ID, packet header, URL data and network/server response time, and it can also produce flow data for parts of the network where there are no NetFlow-capable devices.

What does the FlowSensor do?

Identifies applications and protocols regardless of whether they use:

Plain text

Advanced encryption

Obfuscation techniques

Provides application metrics, including SRT, RTT and MTTK

Packet-level metrics such as HTTP/HTTPS header data and packet payload

Able to create NetFlow data in environments where it is not enabled

UDP Director

The UDP Director is a high-performance appliance that receives flows and logging information from multiple locations and forwards them in a single data stream to one or more destinations. For example, if you're sending NetFlow data to LiveAction, StealthWatch, SolarWinds and Prime, you can either create four different exporters on each and every network device on your network and waste bandwidth, or you can send it all to a single IP address (the UDP Director) and have it replicate that information to the multiple destinations.

What does the UDP Director do?

Simplifies collection of network and security data

Reduces points of failure on your network

Provides a single destination for all UDP formats on the network, including NetFlow, SNMP, syslog, etc.

Reduces network congestion for optimum network performance

StealthWatch Labs Intelligence Center (SLIC) Threat Feed

This is a licensed feature that provides global threat intelligence from a community of experts and partners and aggregates emerging threat information from around the world. It adds an additional layer of protection against botnet command and control centers and other sophisticated attacks. The feed is continuously updated.

What does the SLIC Threat Feed do?

Provides global threat intelligence from a community of third-party experts and partners (StealthWatch Intelligence Center)

Aggregates emerging threat information from around the world

Adds an additional layer of protection against botnet command and control centers and other sophisticated attacks

Delivers information about a full security incident

ProxyWatch

ProxyWatch is a licensed feature of StealthWatch. When you have a proxy in the environment, all the hosts send their traffic to that proxy from various IP addresses, and the proxy sends that traffic out to the internet with its own IP. ProxyWatch is almost like NAT stitching for proxies. It correlates these conversations to provide visibility on both sides of the proxy and turns the missing parts of the conversation into a complete record.

What does ProxyWatch do?

Enhanced network visibility

Additional context around conversations

Follows the flow to the actual destination

Another great thing about Lancope is that it integrates well with ISE through pxGrid, which provides the StealthWatch system with extra contextual information about the endpoint and the user on that endpoint, as well as the ability to quarantine the endpoint if it is misbehaving. In later posts, I'll demonstrate how to integrate ISE and StealthWatch in my lab. In the next blog posts, I'll be going through the installation of StealthWatch, integration, and common tasks.